OpenSSH 8.2 Released With Two-Factor Authentication Hardware Support

Advances in computing power erode the security margin of older cryptographic algorithms, since attackers can now break them far more easily than before. Keeping security tools ahead of that curve is therefore a constant challenge.

As a result, the open-source secure shell tool OpenSSH takes a step forward with the release of v8.2. OpenSSH 8.2 includes key changes that further harden the remote login channel against collision attacks.

OpenSSH 8.2 Deprecates SSH-RSA Algorithm

OpenSSH is a suite of tools that provides encrypted remote login and operation, key management and a server, all using the SSH protocol.

In case you were not aware, OpenSSH uses the SHA-1 hash algorithm to generate the public key signatures that secure its end-to-end encrypted sessions. Recently, however, researchers broke SHA-1 with a practical chosen-prefix collision attack.

Therefore, OpenSSH has announced that it will deprecate the “ssh-rsa” public key algorithm in favour of alternatives such as the RSA/SHA-2 and ssh-ed25519 signature algorithms.

OpenSSH 8.2 now uses the rsa-sha2-512 signature algorithm by default when a Certificate Authority signs a new certificate with ssh-keygen. Note, however, that OpenSSH releases prior to 7.2 do not support the newer RSA/SHA-2 algorithms.

You can switch to the newer algorithms by enabling the UpdateHostKeys option. In an upcoming release, clients will be able to migrate to better algorithms automatically.
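The migration described in the paragraphs above can be checked mechanically. Below is an added example in POSIX shell (my own code, not code from the OpenSSH project or this article): it writes two constructed ssh_config samples, one that re-enables the SHA-1 based ssh-rsa signature algorithm and one that removes it and turns on UpdateHostKeys, and audits each. HostKeyAlgorithms, PubkeyAcceptedKeyTypes, CASignatureAlgorithms and UpdateHostKeys are real OpenSSH 8.2 client options, as is the +/-/^ list-prefix syntax; the sample files, function names and verdict text are this example's own.

```shell
# Added example (not OpenSSH project code): audit ssh_config files for the
# settings discussed in the article. Option names are real OpenSSH options;
# the sample configs, function names and verdict text are constructed here.

# Return 0 when the file explicitly enables the SHA-1 based "ssh-rsa"
# signature algorithm in any of the three algorithm-list options.
# A "+" or "^" prefix (append / prepend) and a bare or comma-separated
# entry all count; a "-" prefix removes the algorithm, so it is not matched.
allows_ssh_rsa() {
    grep -Eiq '^[[:space:]]*(HostKeyAlgorithms|PubkeyAcceptedKeyTypes|CASignatureAlgorithms)[^#]*[[:space:]=,+^]ssh-rsa(,|[[:space:]]|$)' "$1"
}

# Return 0 when UpdateHostKeys is set to "yes" or "ask", which lets the
# client pick up rsa-sha2 / ed25519 host keys that servers offer.
update_host_keys_enabled() {
    grep -Eiq '^[[:space:]]*UpdateHostKeys[[:space:]=]+(yes|ask)([[:space:]]|$)' "$1"
}

# Print one finding per problem; return 0 only when nothing was flagged.
audit_ssh_config() {
    audit_rc=0
    if allows_ssh_rsa "$1"; then
        echo "$1: WARN ssh-rsa (SHA-1) signatures explicitly enabled"
        audit_rc=1
    fi
    if ! update_host_keys_enabled "$1"; then
        echo "$1: INFO UpdateHostKeys not enabled; host keys will not be upgraded automatically"
        audit_rc=1
    fi
    [ "$audit_rc" -eq 0 ] && echo "$1: OK"
    return "$audit_rc"
}

WORK=$(mktemp -d)

# Constructed sample: a client config that re-enables the deprecated algorithm.
cat > "$WORK/legacy_config" <<'EOF'
Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
EOF

# Constructed sample: the hardened counterpart. "-ssh-rsa" removes the SHA-1
# algorithm from the default list, leaving rsa-sha2-256/512 and ssh-ed25519,
# and UpdateHostKeys lets the client learn better host keys from servers.
cat > "$WORK/hardened_config" <<'EOF'
Host *
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedKeyTypes -ssh-rsa
    CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
    UpdateHostKeys yes
EOF

for cfg in "$WORK/legacy_config" "$WORK/hardened_config"; do
    audit_ssh_config "$cfg" || :    # a non-zero status just means findings were printed
done
```

The audit only flags lines that explicitly add ssh-rsa; a config that says nothing inherits whatever the installed build defaults to, so treat the check as a screen for regressions rather than proof that SHA-1 signatures are disabled. Running `ssh -Q key` on the client lists the key and signature algorithm names the binary supports, which shows whether rsa-sha2-256/512 are available at all (they are not on builds older than 7.2, as the article notes).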

OpenSSH 8.2 Adds FIDO/U2F Standard Hardware Authenticator Support

Alongside the algorithm changes, hardware tokens can now provide two-factor authentication for secure connections to remote devices.

Adding another layer of security, OpenSSH 8.2 also leverages the FIDO/U2F security protocol standard for hardware authentication. Alongside the signature certificate, FIDO devices can now be used through the new public key types “ecdsa-sk” and “ed25519-sk”.

With the combination of a FIDO token and a key pair, attackers cannot gain unauthorized access even if they obtain the key file, because the hardware token is required at authentication time to derive the real key.
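As an added illustration of the point above (my own example, not code from OpenSSH or this article): an administrator who wants to know which accounts are protected by a FIDO token can inventory authorized_keys, since OpenSSH records the new key types there as sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com. Those key type strings are real; the authorized_keys sample, its placeholder key data and the function names are constructed for this example.

```shell
# Added example (not OpenSSH project code): inventory an authorized_keys file
# and report which entries are backed by a FIDO token. The public key type
# strings are the real ones OpenSSH writes for these keys; the sample file,
# its placeholder key blobs and the function names are constructed here.

# Print "<class> <key type> <comment>" for each key entry. Options such as
# "no-touch-required" may precede the key type, so the first field that looks
# like a key type is used rather than assuming it is field 1.
classify_authorized_keys() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
        type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com|ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|ssh-dss)$/) {
                type = $i; break
            }
        }
        # key blob follows the type, comment (if any) follows the blob
        comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
        if (type ~ /^sk-/)                               cls = "hardware-backed(FIDO)"
        else if (type == "ssh-rsa" || type == "ssh-dss") cls = "software,legacy-type"
        else if (type != "")                             cls = "software"
        else                                             cls = "unrecognised"
        printf "%-22s %-36s %s\n", cls, type, comment
    }' "$1"
}

# Count the FIDO-backed entries (printed to stdout; "0" when there are none).
count_hardware_keys() {
    classify_authorized_keys "$1" | grep -c '^hardware-backed' || true
}

WORK=$(mktemp -d)

# Constructed sample; the key blobs are placeholders, not real keys.
cat > "$WORK/authorized_keys" <<'EOF'
# Constructed sample authorized_keys
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER alice@token
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER bob@token
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER carol@ci-runner
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER dave@old-workstation
EOF

classify_authorized_keys "$WORK/authorized_keys"
echo "FIDO-backed keys: $(count_hardware_keys "$WORK/authorized_keys")"
```

Note the distinction the inventory makes: an entry of type ssh-rsa is still a plain RSA key, and a current client will sign with rsa-sha2-256 or rsa-sha2-512 when presenting it; what the article's first section describes as deprecated is the SHA-1 signature algorithm, not RSA keys themselves. The no-touch-required prefix on the second entry is an authorized_keys option OpenSSH 8.2 added for FIDO keys, which is why the parser does not assume the key type is the first field.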

For more detailed notes, you can read the official release announcement.